Critical Security Flaws in AI Finance Put Millions in TVL at Risk

A major security breach has been uncovered in AI-powered finance. Researchers have exposed critical flaws in AI agent frameworks within blockchain ecosystems, putting millions of digital assets at risk. 

The findings reveal how attackers can manipulate the context in which AI agents operate, tricking them into making unauthorized transactions.

AI Agents Vulnerable to Context Manipulation

A joint study by SentientAGI, the Open AGI Foundation, and Princeton University has exposed a fundamental security gap in ElizaOS, an AI framework that handles financial transactions and also acts as a platform for other AI agents built on its basis.  

The study reveals a dangerous new attack method: context manipulation. Unlike direct prompt manipulation, this approach lets attackers embed malicious instructions within an agent’s memory or history, making them difficult to detect. 

Even if an AI agent appears to follow security guidelines, it can still be hijacked through exposure to altered historical data.

For example, an AI agent is designed to process blockchain transactions only when explicitly instructed by a verified user. 

However, an attacker can trick the agent into transferring funds by crafting a prompt, such as asking the agent to “summarize the last transaction and send it to this address.” The agent, fooled by the malicious instruction, then executes the transfer to the attacker’s account.

An illustration of crucial gaps in the security of the ElizaOS framework. Source: Arxiv

“Telling an AI agent ‘don’t do X’ isn’t a real safeguard,” the researchers warned. “Security must be built into the core values of the model, not just its interface.”

A Security Crisis in AI-Powered Finance

As AI agents become more common in financial management and automated trading, a new study highlights a serious security gap in these systems. 

Current safeguards, especially those based on simple prompt instructions—like telling an AI agent to reject unauthorized actions—fail against sophisticated attacks that subtly insert harmful instructions.

The study also reveals a major issue: ElizaOS shifts security responsibility to individual developers, many of whom neglect proper protections, leaving the system vulnerable to exploitation.

Another risk lies in the agent’s ability to interact with smart contracts automatically. If it connects to an unsecured or malicious contract, it could drain funds or expose sensitive data. Attackers can also manipulate the agent’s decisions through prompt injections or social engineering. 

Because multiple users share these agents, a single compromised interaction can spread malicious behavior, creating cascading vulnerabilities.

“The shared nature of these agents, where multiple users interact with and rely on the same system, further amplifies these risks. A single compromised interaction could propagate malicious behavior across multiple users, creating cascading vulnerabilities,” the document reads.

Industry Response and Possible Solutions

In response to these vulnerabilities, Sentient has proposed two key security solutions. The Dobby-Fi Model is an AI system focused on financial security, acting as a personal auditor by rejecting suspicious transactions and flagging risks at the model level. 

The Sentient Builder Enclave is a secure AI framework that strengthens alignment between AI agents and underlying models, minimizing the risk of manipulation.

Why This Matters

With AI playing a growing role in financial transactions, this research serves as a critical warning for the industry. Without proactive security measures, AI-driven finance could become a prime target for cybercriminals.